Securing cloud assets

In this post, I’m going to point out the ways in which you can access your assets (VMs, storage, DBs) in the cloud securely. This is no different from accessing the assets in your corporate network. The goal is to make you feel comfortable about having your assets in the cloud.

To accomplish anything meaningful, you need at least one server (a VM, if you are going IaaS) and maybe storage as well. The basic level of access restriction can be achieved with AWS IAM and Azure AD: you can restrict and control which users have access to your storage and other assets.

The first and foremost activity is to form a (virtual) network and keep your servers inside it. A network helps you group your assets, so every security action you take can be applied equally to all of its members rather than to individual assets. Forming a network also allows free flow of access among its members (like an economic bloc). Now, this network needs to be protected from the rest of the world. Security groups let you define the rules that allow or block access.

Now that you have created a network and set up its rules, you need a way to reach it, since the whole network lives outside your corporate network. There are many ways to accomplish this. The basic and rudimentary approach is to restrict access to this virtual network in the cloud to specific IP addresses (location 1, location 2, etc.). However, in this method, though access is limited to specific IP addresses, the traffic itself crosses the public internet with no protection of its own.
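The two previous paragraphs describe the security-group rules that fence the virtual network off and the practice of limiting access to known office IP addresses. The script below is an added example, not code from the original post or from AWS: it audits a security group's ingress rules for admin ports reachable from sources outside an allow list, and shows the corrected form of an offending rule. The input is a constructed sample shaped like one entry of an AWS `ec2 describe-security-groups` response (the field names follow that API; the group id, rules and office address ranges are made up, using documentation prefixes).

```python
import ipaddress

# Constructed sample shaped like one entry of an AWS `ec2 describe-security-groups`
# response (the field names follow that API; the group id and rules are made up).
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "app-servers",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "ssh from anywhere"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "public web"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office 1 RDP"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/16", "Description": "intra-VPC"}]},
    ],
}

# Ports that should never be reachable from arbitrary internet sources.
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}

# Sources allowed to reach admin ports: the corporate egress ranges (constructed,
# documentation prefixes) plus the virtual network's own address space.
ALLOWED_SOURCES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office location 1 (assumed)
    ipaddress.ip_network("198.51.100.0/24"),  # office location 2 (assumed)
    ipaddress.ip_network("10.0.0.0/16"),      # the VPC / VNet itself (assumed)
]


def rule_ports(perm):
    """Port range a permission covers; protocol "-1" means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def source_is_allowed(cidr, allowed_sources=ALLOWED_SOURCES):
    """True if the rule's source CIDR lies entirely inside one of the allowed ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of() only compares networks of the same IP version, so check that first.
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in allowed_sources)


def audit_group(group, admin_ports=ADMIN_PORTS, allowed_sources=ALLOWED_SOURCES):
    """Findings for ingress rules that expose an admin port to a source outside the allowed ranges."""
    findings = []
    for perm in group["IpPermissions"]:
        lo, hi = rule_ports(perm)
        exposed = sorted(p for p in admin_ports if lo <= p <= hi)
        if not exposed:
            continue  # e.g. 443 open to the world is expected for a public web tier
        for rng in perm.get("IpRanges", []):
            if not source_is_allowed(rng["CidrIp"], allowed_sources):
                findings.append({"group": group["GroupId"], "cidr": rng["CidrIp"], "ports": exposed})
    return findings


def harden_permission(perm, admin_ports=ADMIN_PORTS, allowed_sources=ALLOWED_SOURCES):
    """Copy of an admin-port rule with out-of-policy sources replaced by the allowed ranges."""
    lo, hi = rule_ports(perm)
    if not any(lo <= p <= hi for p in admin_ports):
        return dict(perm)  # nothing privileged here; leave the rule alone
    kept, replaced = [], False
    for rng in perm.get("IpRanges", []):
        if source_is_allowed(rng["CidrIp"], allowed_sources):
            kept.append(rng)
        else:
            replaced = True  # drop the world-open range
    if replaced:
        present = {r["CidrIp"] for r in kept}
        kept.extend({"CidrIp": str(n), "Description": "restricted source"}
                    for n in allowed_sources if str(n) not in present)
    fixed = dict(perm)
    fixed["IpRanges"] = kept
    return fixed


if __name__ == "__main__":
    for f in audit_group(SAMPLE_GROUP):
        print(f"{f['group']}: ports {f['ports']} reachable from {f['cidr']}")
    print(harden_permission(SAMPLE_GROUP["IpPermissions"][0])["IpRanges"])
```

Run against the sample, the audit reports only the SSH rule (port 22 from 0.0.0.0/0); 443 open to the world is left alone because it is not an admin port, and the all-protocol rule passes because its source is the network's own address space. The hardened SSH rule keeps the same port and protocol but lists only the two office ranges and the VPC range as sources, which is the "specific IP addresses" restriction the post describes.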

The next level is setting up a VPN. If you are still in development or access is limited to a small set of individuals, you can set up a Point-to-Site VPN (P2S in the Azure world). However, if you want your entire corporate network to be able to connect to the virtual network in the cloud, you can set up a Site-to-Site VPN. In both scenarios the traffic is encrypted, but it still crosses the public internet, so your throughput, latency and SLA are all bounded by the bandwidth and SLA of your ISP. If you are not happy with that, there is a dedicated option: in AWS it is called Direct Connect and in Azure it is ExpressRoute. This is not the public internet but a dedicated circuit; carriers such as AT&T, Level3 and the cable companies will be happy to provide one. In addition, most datacenter providers such as Sungard, Datapipe and IO offer direct connections between their datacenters and AWS, Azure and other cloud providers.

You can see how this is no different from working from home and connecting to your corporate network. If you have already enabled your employees to work from home, then you are ready for the cloud.